Weekly Security Advisory: EnGarde Community 3.0.17 & IPSec Insights

Guardian Digital is happy to announce the release of EnGarde Secure Community 3.0.17 (Version 3.0, Release 17). This release includes many updated packages and bug fixes, some feature enhancements to Guardian Digital WebTool and the SELinux policy, and a few new features.

In distribution since 2001, EnGarde Secure Community was one of the very first security platforms developed entirely from open source, and has been engineered from the ground-up to provide users and organizations with complete, secure Web functionality, DNS, database, e-mail security and
even e-commerce.

When IP VPNs came on the scene in the late 1990s IPSec quickly established itself as the standard to provide secure network-layer connectivity over insecure IP networks, typically the Internet.

The article brings up an interesting point about the increased complexity that comes along with many IPSec connections - the more people who wish to establish these VPNs, the more cumbersome it gets due to maintenance and installation procedures. System administrators may be interested in finding out how SSL VPNs are on the rise and can provide an alternative to repeated setups.

news/network-security/ipsec-vs-ssl-vpns

"Despite my heart-felt feelings that we should support different people in trying out different things, one of the issues is also that I'm obviously not myself a security person. I can 'decree' all I want, but in the end, I really want the people *involved* to merge security stuff," Linus Torvalds explained during the ongoing discussions surrounding the Linux Security Modules code. He added, "there's the 'core LSM hooks' on one side, but there's also the 'what modules make any sense at all to merge?' on the other, and I really don't have the expertise to make any sensible judgments except for the pure 'process' judgment that we should not hardcode things to just one module!"

Debate in the security world still goes on. I feel this debate is only going to help Linux security. I am glad to see more then one LSM being looked at by the security community. What do you think, does this debate hurt or help Linux security?

Mozilla Corp. will rush another version of Firefox to users as early as next week, the company's user interface designer said Tuesday, to fix five bugs it introduced in last Wednesday's security update.

Firefox 2.0.0.8 patched ten vulnerabilities, including three critical flaws, but also shipped with five regression bugs -- problems unintentionally introduced when code was changed to plug other holes.

What do you think about the amount of Firefox security flaws being found. One thing is true is that they are taking the time to fix them and release patches as fast as possible to the end users.

news/network-security/mozilla-rushes-to-fix-regression-bugs-in-firefox

This document describes how to set up a chrooted SSH/SFTP environment on Fedora 7. The chrooted users will be jailed in a specific directory where they can't break out. They will be able to access their jail via SSH and SFTP.

This is a good howto for those wishing to experiment with chroots, SFTP, and SSH configurations in an attempt to gain reliable, secure connections. What home-brewed chrooting tips have you come up with over the years?

news/network-security/chrooted-sshsftp-on-fedora-7-21751

I give up. You should too. It's time to stop trying to secure users' Web browsers, and instead just throw them away. We can't stop users from clicking on the wrong links or going to compromised Web sites. We can't eliminate drive-by worm infections or block zero-day rootkits.

Is virtualization the answer to browser security? With virtualiztion no matter how badly damaged the users platform is, it can be easily reinstalled. Is this better then spending tons of time on setting up a very secure network for your user's?

A brief introduction into the first steps a beginner can take to pursue Linux security.

What straightforward suggestions would you give them about how to secure their Linux system? Obviously, there's overlap between the different operating systems ("Use a strong password" applies just as well to Linux boxes as to the others), but we're particularly interested in Linux-specific tips.

It has a good number of links and a little insight about each. If you are looking for a quick overview, stop on by.

Malicious hackers and other assorted bad guys looking for new tools for plying their trade this upcoming holiday season will have plenty of toys and services to choose from.

As we get closer to the holidays, I look forward to ogling / wishing / debating over the items listed in any "top holiday buys" catalogs. However, it looks like there are other people wishing to be on Santa's naughty list AND get gifts - check out the article for a look into a recent trend with organized cyber crime. When do you think they'll have their own Home Shopping Network time slot?

news/vendors-products/a-hackers-holiday-shopping-list

In a brief follow up to the earlier pluggable security discussion, Thomas Fricaccia reflected on the implications for the various security frameworks, "I noticed James Morris' proposal to eliminate the LSM in favor of ordaining SELinux as THE security framework forever and amen, followed by the definitive decision by Linus that LSM would remain." He then commented on a recent merged patch preventing the loading of security modules into a running kernel, "but then I noticed that, while the LSM would remain in existence, it was being closed to out-of-tree security frameworks. Yikes! Since then, I've been following the rush to put SMACK, TOMOYO and AppArmor 'in-tree'." Linus Torvalds replied:


What do you think about the latest Security Frameworks being included into the upstream Linux Kernel? What I found interesting was the latest patch prevents the loading of security modules into a running kernel.

In an exclusive interview with Wired News, gun-for-hire hacker Robert Anderson tells for the first time how the Motion Picture Association of America promised him money and power if he provided confidential information on TorrentSpy, a popular BitTorrent search site.

Read on for an account of Hollywood-style hacker plots - big bad company hires young hacker to obtain vital information, hacker uses savvy to accomplish goal, +1 to the lore of hack0rz. In actuality, the "hack" was nothing more than a weak password, and the retrieval of the "vital information" was nothing more than some reconfigurations of email forwarding. I think the most interesting (and important) aspect of this act was the fact that the hacker-for-hire "knew the network very well", showing once again that these types of attacks are almost always 90% or more planned out rather than improvised. -1 to Hollywood "I can hack anything anytime" lore. How do you feel about the MPAA's tactics?

news/hackscracks/exclusive-i-was-a-hacker-for-the-mpaa